We have developed a few APIs in SAP BTP with RAP (or going forward we can use CAP). How is the security handled?
As per my understanding there are two ways.
1) XSUAA: This will create a service key. When the 3rd party system uses this URL, they will give the Client ID and Client Secret as the Username and Password.
2) API management: We maintain the API in the API management tool. It will give an API key. Use the API key in the header when calling the API.
Question 1:
Is my understanding right, that these are the only two ways?
Question 2:
And which one to use? Can we have a project that will use only XSUAA, where we don't maintain the API in the API management tool?
Or is it mandatory that we use API management?